Skip to content

Core: Extract shared credential rotation pre-condition check (Closes #4026)#4420

Open
visit2rahul wants to merge 2 commits into
apache:mainfrom
visit2rahul:fix/dedup-credential-preconditions
Open

Core: Extract shared credential rotation pre-condition check (Closes #4026)#4420
visit2rahul wants to merge 2 commits into
apache:mainfrom
visit2rahul:fix/dedup-credential-preconditions

Conversation

@visit2rahul
Copy link
Copy Markdown

@visit2rahul visit2rahul commented May 13, 2026

Description:
Closes #4026

Summary

Extracts the duplicated PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE pre-condition check from PolarisAuthorizerImpl and RangerPolarisAuthorizer into a shared AuthorizationPreConditions utility class.

Both authorizer implementations had identical logic to block non-ROTATE_CREDENTIALS operations when a principal is flagged for mandatory credential rotation. This duplication was flagged during the PR #3928
review.

Changes

  • New AuthorizationPreConditions.checkCredentialRotationRequired() utility method in polaris-core
  • PolarisAuthorizerImpl and RangerPolarisAuthorizer now delegate to the shared method
  • Removed unused PolarisEntityConstants import from RangerPolarisAuthorizer

Test Plan

  • polaris-core:test — auth tests pass
  • polaris-extensions-auth-ranger-tests:test — Ranger tests pass
  • Spotless and checkstyle pass

@visit2rahul
Core: Extract shared credential rotation pre-condition check (apache#…
6b957c9 
…4026)

Move the duplicated PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE check
from PolarisAuthorizerImpl and RangerPolarisAuthorizer into a shared
AuthorizationPreConditions utility class.

Both authorizer implementations had identical logic to enforce credential
rotation before allowing non-ROTATE_CREDENTIALS operations. This change
eliminates the duplication as suggested in the PR apache#3928 review.
@github-project-automation github-project-automation Bot moved this to PRs In Progress in Basic Kanban Board May 13, 2026
jbonofre
jbonofre reviewed May 13, 2026
View reviewed changes
Comment thread ...ger/impl/src/main/java/org/apache/polaris/extension/auth/ranger/RangerPolarisAuthorizer.java Outdated
Copy link
Copy Markdown
Member

@jbonofre jbonofre May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is not used anymore with your change.

Copy link
Copy Markdown
Author

@visit2rahul visit2rahul May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 4244163 — removed OPERATION_NOT_ALLOWED_FOR_USER_ERROR from RangerPolarisAuthorizer. Confirmed via grep it wasn't referenced anywhere after the extraction.

Comment thread polaris-core/src/main/java/org/apache/polaris/core/auth/AuthorizationPreConditions.java
* Common pre-condition checks shared across authorizer implementations for credential-related
* operations.
*/
public final class AuthorizationPreConditions {
Copy link
Copy Markdown
Member

@jbonofre jbonofre May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest to add a unit test with the different conditions:
- flag off, no exception, regardless of property/op
- flag on + rotation property absent, no exception
- flag on + rotation property present + op == ROTATE_CREDENTIALS, no exception
- flag on + rotation property present + op != ROTATE_CREDENTIALS, ForbiddenException

Copy link
Copy Markdown
Author

@visit2rahul visit2rahul May 14, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jbonofre Added in 4244163AuthorizationPreConditionsTest covers all four cases:

  • testFlagOff_noException — flag off, no exception regardless of property/op
  • testFlagOn_nonRotationOp_propertyNotSet_noException — flag on + property absent
  • testFlagOn_rotateCredentialsOp_noException — flag on + property present + op == ROTATE_CREDENTIALS
  • testFlagOn_nonRotationOp_propertySet_throwsForbidden — flag on + property present + op != ROTATE_CREDENTIALS

@visit2rahul
Copy link
Copy Markdown
Author

visit2rahul commented May 14, 2026
edited
Loading

@jbonofre thanks for the review — addressed both points in 4244163:

  • Removed the unused OPERATION_NOT_ALLOWED_FOR_USER_ERROR constant from RangerPolarisAuthorizer (your L58 — confirmed it wasn't referenced anywhere after the extraction).
  • Added AuthorizationPreConditionsTest covering all four cases per your L28 suggestion:
    • testFlagOff_noException — flag off, no exception regardless of property/op
    • testFlagOn_nonRotationOp_propertyNotSet_noException — flag on + property absent, no exception
    • testFlagOn_rotateCredentialsOp_noException — flag on + property present + op == ROTATE_CREDENTIALS, no exception
    • testFlagOn_nonRotationOp_propertySet_throwsForbidden — flag on + property present + op != ROTATE_CREDENTIALS, ForbiddenException

@visit2rahul visit2rahul requested a review from jbonofre May 14, 2026 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbonofre jbonofre Awaiting requested review from jbonofre

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Eliminate duplicate pre-condition checks while handling operations ROTATE_CREDENTIALS and RESET_CREDENTIALS across authorizer implementations

2 participants

@visit2rahul @jbonofre